Custom DNSBL rules or Group Alias [FQDN]
-
Hello,
I've searched for this, but couldn't find a clear answer, so I would appreciate some help.
I want to block a list of domains, but only for specified IPs in my network. What's the better way to accomplish that?
I know that creating an Alias and manually setting all FQDN hosts would do it, but I would like to use lists, since they can be more easily worked with. If that could be done with pfBlockerNG, it would be great (:
Thanks in advance.
-
@none-0 In pfSense you can create aliases (group lists) either manually, or by referencing a local text file, or by referencing a text file on a HTTP URL.
So if you have a webserver somewhere, place your text file with client IPs that need to be blocked, and reference that in a pfSense Alias.
In pfBlockerNG you then ask it to create a “DENY ALIAS” instead of actually creating automatic block rules. This will result in a similar ALIAS group like you just created from your text file, but this time it contains all the sites/feeds you asked pfBlockerNG to block.
Then you create your own block rule with your Client Alias list as source, and the pfBlockerNG DENY ALIAS as destination.
It’s pretty neat actually, as you can fine tune how often pfSense refreshes your Client list alias (downloads your text file again). This is done in Advanced - Tunables.
-
@keyser, but using a list of domains in IPv4 won't really work, right?
I tried it, but the domains were still accessible, probably because they're using different IPs from those pfBlockerNG created based on the domain list (big sites that use more than 1 IP).
Or this should work, and I messed something up? :p
-
@none-0 Uhh, I’m a little confused.. You are not looking to create lists of clients that need to be blocked, but rather to create your own list of domains that clients are banned from reaching?
If that’s the case then just add your list (text file placed on a webservice) as a feed in a new “DNSBL Group” you create yourself. This will make pfBlockerNG import the list and instruct the Unbound DNS server on pfSense to not resolve those domain names correctly, but rather block them (like any of the built-in feeds in pfBlockerNG).
-
@keyser Yes! Sorry for the confusion.
I want to use a list of domains to be blocked only on specified clients.
Just as your example with IPv4, but instead of a list of IPs, I would use a list of domains. If I add the list in the DNSBL group, it will block them for all the clients on the interface, right?
Is there a way to only block the domain list (FQDN) for specified IPs in my network?
-
@none-0 Ahh, now I get where you are going - sorry for the misunderstanding...
Yeah, having DNSBL block request for domain names in your own list will by default have effect for all clients.
I believe it is possible to have different "views" (replies) from Unbound DNS depending on which client IP address/range you come from. But it is not a firewall rule setting - it's an advanced setting made in Unbound DNS.
I have no idea if BBCAN177 has made it possible to use selective Unbound DNS views, based on DNSBL Group lists combined with client source specification.
Before python mode was the new black, I believe one could create an Unbound View yourself, which made some clients see DNS with pfBlockerNG lists included - others just saw regular open DNS. But I can't help you here as I have never tried it.
Perhaps a search here for "Unbound View" can come up with something.
-
Alright, thanks for the help, @keyser!